Data protection by default and design

Privacy by design and by default” is part of the accountability principle to which the data controller is subject.

The essential obligation resulting from the obligation of data protection by design and by default consists in the implementation of appropriate measures and necessary safeguards to ensure, by design and by default, the effective implementation of the data protection principles and, consequently, of the rights and freedoms of the data subjects.

When planning a new processing operation, prior to its implementation, and on an ongoing basis once implemented, if applicable, the controller must consider the obligation to protect data by design and by default.

The controller must ensure that the processing is constantly updated in accordance with the GDPR by ensuring appropriate and effective data protection.

Data protection by design and data protection by default are an obligation for all data controllers, regardless of the size and complexity of the processing.

However, the complexity of implementing the protection may vary depending on the processing operation concerned.

Data protection measures by design and by default may include, but are not limited to:

To reduce to a minimum the processing of personal data;
To pseudonymize personal data as soon as possible;
To guarantee transparency with regard to the functions and processing of personal data;
To allow the data subject to control the processing of his or her data,
To enable the data controller to implement or improve security features.

GDPR Point

” The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organizational measures b taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet, in particular, the principles of data protection by design and data protection by default. “

Recital 78 of the GDPR

Point of jurisprudence

The Italian supervisory authority states that:

” in consideration of the risk to the rights and freedoms of data subjects, the controller, also with the support of the Data Protection Officer, must “by design” and “by default” (Article 25 of the Regulation) adopt adequate technical and organizational measures to implement the data protection principles (Article 5 of the Regulation), such as the principles of minimization and limitation of retention referred to in Articles. 5, para. 1, lett. (c) and (e) of the Regulation) and incorporate in the processing the safeguards necessary to meet the requirements of the Regulation and to protect the rights and freedoms of data subjects.

This also applies when the controller uses products or services offered by third parties, giving, if necessary, the necessary instructions to the processor and ensuring, for example, that functions that have no legal basis or are not compatible with the purposes of the processing are deactivated. “

Garante per la protezione dei dati personali, 16 September 2021, N°9703988

The Bouchara Law firm assists you in particular in :

Making your organization GDPR compliant;
The drafting of data protection policies (privacy policy, computer charter …);
Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
Obtaining certifications and adhering to codes of conduct;
The study of the legal feasibility of the implementation of a new personal data processing;
The drafting and transmission of your codes of conduct to the CNIL for approval;
Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
Drafting and negotiating your data processing agreements (DPA);
Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
Training and awareness of your employees.